Nunchuk apps are NOT vulnerable to the recent NPM security exploit. Our apps are fully native, with no Javascript or NPM dependencies. This was a conscious decision to reduce our supply chain to the bare minimum. We believe that for mission-critical software like a Bitcoin wallet, avoiding Javascript and the web-based ecosystems is a fundamental security principle.